Trends of malware and digital products sales on darknet marketplaces

There is a growing number of research studies examining the operations of various darknet markets, or cryptomarkets, with special emphasis on illicit drug trading, which represents the majority of product lists on most of these darknet marketplaces. A recently published paper analyzed these markets with a focus on trading malware, forged documents, stolen credentials, and “crime-as-a-service” type of products. We will look at some of the results presented via this paper throughout this article.

The crime-ware products offered for sale on darknet markets include various popular hacking and social engineering tools (such as ransomware, keyloggers, viruses, trojans, etc.,) in addition to forged documents (such as passports, IDs, driver’s license, customs documents, etc.). Moreover, among the popularly traded malware is mobile phone zero-day exploits.

Malware sales on Dream Market:

The study tracked Dream Market, which has been operating since 2013 and is by far the largest darknet anonymous marketplace currently. On any given day, there is an average of 100,000 illicit product listings, most of which are drugs, yet also malware or digital products. For example, on April 14, 2018, the study showed that 51.1% of products listed for sale comprised illicit drugs, while 41.6% involved digital products, hacking tools, malware, and various forms of counterfeit documents and stolen credentials.

As when compared to Alphabay, Dream Market is significantly smaller. Prior to its shutdown in July 2017, Alphabay was one of the biggest cryptomarkets to ever exist on the darknet, with over 40,000 vendors selling over 369,000 products to around 200,000 customers. By the time it was taken down by “Operation Bayonet”, there were around 250,000 product listings for illicit drugs, and around 100.000 product listings involving malware, counterfeit identification documents, computer hacking tools, fraudulent services, and firearms.

The analysis of Dream Market found anomalous online trends involving the cost and availability of malware or crime-ware, as well as forged documents’ product listings of this anonymous darknet marketplace. On average, around 12,000 different digital products were listed for sale at any time on Dream Market during the period of data collection. Compromised credit cards and bank accounts comprised the majority of sold digital products (71.6%), followed by popular hacking kits such as Spyeye, Zeus, phishing kits, and educational tutorials for hacking. Stolen credentials were often offered for sale in the form of batches of multiple accounts, and their prices varied according to the face value of the compromised credit card. Less commonly sold digital products involved specific malware tools such as ransomware and DDoS kits, in addition to various exploits like viruses. This can be best understood with the table below.

Generally speaking, the cost of most of these digital products was relatively low. Nevertheless, a few digital products were very expensive including trojans, and other vulnerabilities. For instance, a modified version of the ransomware, “Ransomware-ALM4 Locker”, was briefly offered for sale at AU$3,848. This price was 60x greater than the price of stock ransomware, and attracted high levels of interest due to its novelty. The higher prices associated with fake IDs or documents reflect the significance of “document fraud” as one of the key tools of organized crime; a key tool of course in addition to money laundering and the illicit online trade which have the potential to disrupt established real world criminal markets and their conventional distribution models during the next few years.

Malware sales on 0day.today:

The study also analyzed digital products sold on 0day.today, a darknet “grey” market and forum for malware, with emphasis on zero day exploits. The study detected sales of over AU$5,000 for Apple iOS exploits, iCloud privilege elevation tools, and Windows 2010 exploits.

Final thoughts:

Malware, hacking tools, and crime service e-commerce is thriving on anonymous darknet markets. Oppositely to drugs sold on darknet markets, and eventually on the street, which are stealthily packaged, and shipped via postal or courier services, digital and malware products offer no chances for interdiction. On the other hand, monitoring of darknet markets can offer some valuable data that can help in the anticipation of the available types of malware and their harms, as well as, their potential victims and targeted vulnerabilities.

One comment

The website posted at the end 0day.today is a well known scam site, avoid it. There have been many complaints about it just Google.

If anyone had a decent exploit they would use it or sell it to zerodium (which has news articles on BBC news, CNN etc…) which is also a legal company operating in America.

So why would any serious seller use one of these sites where they are breaking the law, get less money, probably get scammed by the website or customer, and can’t put on their CV (resume in American English) that they found a 0day.